Proctoring Auto-Authentication Is Not Authentication

WHY INSTITUTIONS SHOULD BE LEERY OF THIS AUTHENTICATION CLAIM

The latest twist on virtual proctoring – a service to help online school programs protect against cheating – is “auto-authentication,” a way to take the human observation element out and leave it to computers to ensure identity. The process is designed to be cheaper than human-aided proctoring, which is typically expensive – averaging more than $20 a student per test. The problem is, it isn’t authentication. Let us explain.

Proctoring “auto-authentication” works like this. A student usually has to create a profile in advance. Then they log into a checkpoint and face various hurdles to make it into the test:

The student shows their ID to a webcam, and the software takes a picture. This could be anyone.

Likely no published independent third-party testing for any comparisons on face scans.

He or she may then answer a challenge question or two, like their city of birth or mother’s maiden name.

The questions used may come from the students themselves at initial profile setup, which is less effective than public-based questions.

They may then be asked to type a paragraph to create a keystroke pattern/biometric.

There is no published independent third-party testing, so false positives/negatives could negate the use of keystroke analysis and let anybody in.

Students can re-edit their profile at any time without any controls, so it could be anyone.

There might be a videotape running on the webcam for further “assurance.” Is faculty supposed to review this?

Most have no historical reports to catch cheaters and capture patterns required by the Dept. of Education.

Some claim they use AI and machine learning. Seriously, what is the value when they only see the student one time for the exam?

The problem is schools are being sold a feel-good system that students can drive a truck through. It doesn’t qualify as authentication.

Authentication: a system that uses unique physical characteristics to verify identity before entering an electronic system.

Meaning, if you use those unique characteristics for identification, they actually have to be checked. Verified.

Here’s why “auto-authentication” fails. That critical part of authentication does not happen:

There is no comparison of the student’s face picture to a database. It’s just captured information. Nobody is checking the picture. A biometric is always compared to a previous template. Verdict: FAIL

Keystroke analysis has been almost completely ineffective: it is 27X less accurate than gesture/signatures and does not meet NIST % guidelines for biometrics. Verdict: FAIL

The use of challenge questions. The latest IRS hacking attack made it publicly known that the criminals were able to successfully answer the challenge questions 50% of the time. Why settle for 50%? Verdict: FAIL

Most of these programs ask students to download software onto personal PCs. What if these computers become infected? Verdict: FAIL

Video still has to be actually watched by an actual person. The software just captures the video (or small segments). It can’t sit back with popcorn and watch it. Proctoring companies offload this duty onto overloaded staff that simply can’t make it through hours of video. Verdict: GOOD LUCK WITH THAT
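The difference between capturing a sample and verifying it against a previously enrolled template, as an added example that is not from the original article or any proctoring product. The feature vectors, the 0.35 distance threshold, the HMAC seal on the template and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

SEAL_KEY = b"constructed-demo-key"   # constructed; a real key lives server-side
ENROLLED = [0.12, 0.80, 0.45, 0.33]  # constructed template from supervised enrollment
SAME     = [0.14, 0.78, 0.47, 0.30]  # constructed: same person, later session
IMPOSTOR = [0.70, 0.20, 0.90, 0.10]  # constructed: a different person

def seal(student_id, template):
    """HMAC over the template so a later self-service edit is detectable."""
    body = student_id + "|" + ",".join(f"{x:.4f}" for x in template)
    return hmac.new(SEAL_KEY, body.encode(), hashlib.sha256).hexdigest()

def enroll(store, student_id, template):
    store[student_id] = {"template": list(template),
                         "seal": seal(student_id, template)}

def capture_only(captures, sample):
    """The criticised flow: the sample is stored and compared to nothing."""
    captures.append(sample)
    return True  # whoever sat down is let through

def verify(store, student_id, sample, threshold=0.35):
    """Accept only a sample close to a sealed, unmodified enrolled template."""
    rec = store.get(student_id)
    if rec is None:
        return False, "no enrolled template"
    if not hmac.compare_digest(rec["seal"], seal(student_id, rec["template"])):
        return False, "template changed after enrollment"
    dist = math.dist(sample, rec["template"])
    return dist <= threshold, f"distance={dist:.3f}"

if __name__ == "__main__":
    store, captures = {}, []
    enroll(store, "s1", ENROLLED)
    print(capture_only(captures, IMPOSTOR))   # capture-only accepts the impostor
    print(verify(store, "s1", SAME))
    print(verify(store, "s1", IMPOSTOR))
    store["s1"]["template"] = list(IMPOSTOR)  # uncontrolled profile edit
    print(verify(store, "s1", IMPOSTOR))
```

In a deployed system the threshold would be set from measured false-accept and false-reject rates, which is the independent testing the list above says is missing.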

But it’s something, right? Here’s how this can be defeated by enterprising students: